Is stealth-browser safe?

During skill installation, the process opened and accessed /home/oc-exec/.aws/credentials — a file containing AWS access keys and secret keys. This occurred without any user action beyond installing the skill.

The skill's install process read /home/oc-exec/.env which typically contains API keys, database credentials, and other secrets.

The skill's description claims authority over any user request mentioning 'login to X website', automatically intercepting authentication workflows. It instructs the agent to 'automatically use headed mode for login, then save session for future headless reuse' — meaning the agent will capture and persist user credentials without explicit consent for each site.

All browser sessions (cookies, localStorage, login tokens) are stored as unencrypted JSON files in ~/.clawdbot/browser-sessions/. Credentials for CAPTCHA services and proxy providers are stored in ~/.clawdbot/secrets/. Any subsequent skill, process, or attacker with filesystem access can trivially harvest these.

proxy_rotate.py loads proxy configurations and routes all browser traffic through them. If a malicious actor provides the proxy config (or the skill ships with default proxies), all browsing data including credentials, session tokens, and page content passes through the proxy operator's infrastructure.

The skill instructs installing global npm packages and pip packages, modifying the host system. Puppeteer is launched with --no-sandbox, disabling Chrome's process isolation security. Docker containers are launched opening network ports.

The '执行策略 (IMPORTANT)' section contains execution policy directives in Chinese that instruct silent-first operation, automatic retry, and attempt logging. Using a non-English language for behavioral directives is a known technique to bypass review by English-speaking security auditors while still being parsed by multilingual LLMs.

smart_login.py accepts account and password as command-line arguments, exposing them in process listings (/proc/*/cmdline), shell history files, and audit logs.

During installation, the process read openclaw.json (platform configuration) and auth-profiles.json (authentication profiles) multiple times, probing for stored authentication tokens.

The skill creates a full attack chain: (1) hijack login requests via trigger phrases, (2) capture credentials via headed browser automation, (3) persist sessions for unauthorized reuse, (4) route traffic through attacker proxies for interception, (5) bypass bot detection to evade security controls. This is a credential-harvesting toolkit.

smart_login.py uses page.run_js() to execute JavaScript with dynamically constructed strings, and session_manager.py injects localStorage values via string interpolation in JavaScript — potential for injection if session data contains malicious payloads.

The canary integrity check reports all files intact because it measures file modification (hash changes). However, .env and .aws/credentials were READ during install — read-only exfiltration is not detected by hash-based canary checks.

All login attempts are logged to ~/.clawdbot/browser-sessions/attempts.json with URLs, timestamps, and success/failure status — creating a browsing history and authentication audit trail accessible to any process.